Cybersecurity experts have uncovered a sophisticated phishing scheme that makes use of Google Drawings and WhatsApp-generated shortened links to avoid detection. The campaign aims to deceive unsuspecting users into clicking on fraudulent links that are designed to steal their sensitive information.
“The attackers have cleverly utilized well-known platforms such as Google and WhatsApp to host their malicious elements, as well as an Amazon imitation website to extract victims’ data,” explained Ashwin Vamshi, a researcher at Menlo Security. “This particular attack serves as a prime example of a Living Off Trusted Sites (LoTS) threat.”
The attack commences with a deceptive email that leads recipients to a graphic resembling an Amazon account verification link. This graphic is hosted on Google Drawings to evade detection.
By exploiting legitimate services, attackers can operate with anonymity and circumvent security defenses, making it challenging for security products or firewalls to block their communications.
Vamshi also pointed out the appeal of using Google Drawings at the initial stage of the attack, as it allows the inclusion of links within graphics, which can easily deceive users, especially when they perceive a threat to their Amazon account.
Victims who click on the fake verification link are led to a fake Amazon login page, with the URL masked by two different URL shorteners — WhatsApp (“l.wl[.]co”) and qrco[.]de — to further obfuscate and bypass security measures.
The counterfeit page is designed to extract personal information, credentials, and credit card details before redirecting victims to the authentic Amazon login page. To cover their tracks, the web page becomes inaccessible from the same IP address once the credentials have been validated.
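A defender-side check for the chain described above, added here as an example and not code from Menlo Security or the original article: given an already-resolved redirect chain (as a proxy or URL sandbox would record it), it reports the three traits of this campaign. The sample chains, the `docs.google.com/drawings/` path prefix, the brand allow-list and the landing domain `amazon-verify.example` are constructed assumptions.

```python
from urllib.parse import urlsplit

# Shortener hosts named in the article (defanged there as l.wl[.]co, qrco[.]de).
SHORTENERS = {"l.wl.co", "qrco.de"}
# Assumption: Google Drawings content lives under docs.google.com/drawings/.
TRUSTED_HOSTING = [("docs.google.com", "/drawings/")]
# Assumption: brand keyword -> domains that legitimately host its login page.
BRANDS = {"amazon": ("amazon.com",)}

def host_and_path(url):
    """Refang a reported URL and return (lowercase host, lowercase path)."""
    parts = urlsplit(url.replace("[.]", ".").replace("hxxp", "http", 1))
    return (parts.hostname or "").lower(), parts.path.lower()

def is_under(host, domain):
    return host == domain or host.endswith("." + domain)

def lots_findings(chain):
    """Findings for one resolved redirect chain, first URL -> landing page."""
    if not chain:
        return []
    hops = [host_and_path(u) for u in chain]
    findings = []
    first_host, first_path = hops[0]
    if any(first_host == h and first_path.startswith(p) for h, p in TRUSTED_HOSTING):
        findings.append("lure hosted on trusted site")
    used = sorted({h for h, _ in hops if h in SHORTENERS})
    if len(used) >= 2:
        findings.append("chained shorteners: " + ", ".join(used))
    land_host, land_path = hops[-1]
    for brand, domains in BRANDS.items():
        named = brand in land_host or brand in land_path
        if named and not any(is_under(land_host, d) for d in domains):
            findings.append("brand lookalike landing: " + brand)
    return findings

# Constructed sample chains; IDs, paths and the landing domain are placeholders.
PHISH_CHAIN = ["https://docs.google.com/drawings/d/EXAMPLE_ID/preview",
               "https://l.wl[.]co/EXAMPLE1", "https://qrco[.]de/EXAMPLE2",
               "https://amazon-verify.example/signin"]
BENIGN_CHAIN = ["https://docs.google.com/drawings/d/EXAMPLE_ID/edit",
                "https://www.amazon.com/ap/signin"]

if __name__ == "__main__":
    for name, chain in (("phish", PHISH_CHAIN), ("benign", BENIGN_CHAIN)):
        print(name, lots_findings(chain))
```

A trusted first hop on its own is normal traffic; the signal is the combination of trusted hosting, stacked shorteners and a landing page that names a brand from a domain the brand does not own.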
Meanwhile, a vulnerability has been identified in Microsoft 365’s anti-phishing mechanisms, potentially increasing the risk of users falling for phishing schemes.

A hidden CSS technique is being used to bypass the “First Contact Safety Tip” in Microsoft 365, which is responsible for warning users about emails from unknown sources. Microsoft is aware of the issue but has not yet issued a fix.
“The First Contact Safety Tip is inserted in the HTML body of the email, which allows altering its display using CSS tags,” explained Certitude, a cybersecurity firm. “Furthermore, it’s possible to spoof the icons added by Microsoft Outlook to signify encrypted or signed emails.”

